Offense chaining
IBM® QRadar® chains offenses together to reduce the number of offenses that you need to review, which reduces the time to investigate and remediate the threat.
Offense chaining helps you find the root cause of a problem by connecting multiple symptoms together and showing them in a single offense. By understanding how an offense changed over time, you can see things that might be overlooked during your analysis. Some events that would not be worth investigating on their own might suddenly be of interest when they are correlated with other events to show a pattern.
Offense chaining is based on the offense index field that is specified on the rule. For example, if your rule is configured to use the source IP address as the offense index field, there is only one offense that has that source IP address while the offense is active.
The names of the rules that contributed to a chained offense are shown, joined by "preceded by", in the Description field on the Offense Summary page. In the following example, QRadar combined all of the events that fired for each of the three rules into one offense, and appended the rule names to the Description field:

Exploit Followed By Suspicious Host Activity - Chained
preceded by Local UDP Scanner Detected
preceded by XForce Communication to a known Bot Command and Control
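The following Python is an added illustration, not QRadar code: it models the chaining behaviour described above (one active offense per offense index value, each contributing rule name recorded once, and the Description built as in the example). The firing order of the three rules is assumed from the example, and the "sourceip" index field, the CloseOffense action and the IP address are constructed for the sample.

```python
from dataclasses import dataclass, field

@dataclass
class RuleFiring:
    rule_name: str    # custom rule that matched
    index_field: str  # offense index field configured on the rule, e.g. "sourceip"
    index_value: str  # value of that field in the matching event

@dataclass
class CloseOffense:   # analyst closes the active offense for this index key
    index_field: str
    index_value: str

@dataclass
class Offense:
    index_field: str
    index_value: str
    rules: list = field(default_factory=list)  # contributing rules, oldest first
    active: bool = True

    def description(self) -> str:
        # Newest rule first with "- Chained"; earlier rules follow in reverse order via "preceded by".
        if len(self.rules) == 1:
            return self.rules[0]
        newest, *earlier = reversed(self.rules)
        return " ".join([f"{newest} - Chained"] + [f"preceded by {r}" for r in earlier])

def chain_offenses(stream: list) -> list:
    offenses: list = []
    active: dict = {}  # (index_field, index_value) -> the one active offense for that value
    for item in stream:
        key = (item.index_field, item.index_value)
        if isinstance(item, CloseOffense):
            closed = active.pop(key, None)
            if closed is not None:
                closed.active = False
            continue
        if key not in active:  # no active offense for this value: open a new one
            active[key] = Offense(item.index_field, item.index_value)
            offenses.append(active[key])
        if item.rule_name not in active[key].rules:  # repeat firings add no new name
            active[key].rules.append(item.rule_name)
    return offenses

# Constructed sample: the three rules from the page firing, in order, for one source IP.
SAMPLE = [
    RuleFiring("XForce Communication to a known Bot Command and Control", "sourceip", "10.0.0.5"),
    RuleFiring("Local UDP Scanner Detected", "sourceip", "10.0.0.5"),
    RuleFiring("Exploit Followed By Suspicious Host Activity", "sourceip", "10.0.0.5"),
]
```

Once the offense for 10.0.0.5 is closed, a later firing for the same source IP opens a fresh offense rather than extending the old chain.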